LYNX-DEV Re: NSA's opinion on what it's legal to do (fwd)

[Michael Richardson]

  This message was posted to the IPsec list. It may shed some light
on another view about incorporating SSL hooks.
  I still favour the isolate and replace entire file solution. But,
I also consider this a "hook"

Forwarded message:
> From address@hidden Thu Oct 24 10:12:49 1996
> Message-Id: <address@hidden>
> To: Karl Fox <address@hidden>
> cc: address@hidden, address@hidden, address@hidden
> Subject: Re: NSA's opinion on what it's legal to do
> In-reply-to: <address@hidden> 
> Date: Wed, 23 Oct 1996 16:14:38 -0700
> From: John Gilmore <address@hidden>
> Sender: address@hidden
> Precedence: bulk
> 
> > As to exporting development, the NSA told us that not only couldn't we
> > export source with any kind of hook for encryption, we couldn't even
> > hire someone outside of the country to add encryption to an existing
> > product without running afoul of the U.S. laws.  Of course, I'm not a
> > lawyer, and am not suggesting that their claims were necessarily valid.
> 
> I am stating, not suggesting, that their claims are deliberately invalid.
> 
> The NSA regularly lies to people who ask it for advice on export control.
> They have no reason not to; accomplishing their goal by any legal means
> is fine by them.  Lying by government employees is legal.
> 
> NSA recently "distanced itself" from statements made by an NSA
> employee to Dan Bernstein, plaintiff in our lawsuit to overturn the
> export controls.  In an official submission to the court, they cited
> court cases supporting the position that the advice that government
> employees give to citizens is not binding on the government and does
> not define the government's policy.
> 
> One thing this employee had said to Dan, when he called up asking for
> advice about his crypto export, was that it wasn't legal to publish
> export-controlled technical data "with the intent" that it leave the
> country, even though published materials are exempt from the export
> controls on technical data.  NSA now finds that position hard to
> defend in court, so they are claiming it never was their "official"
> position; their employee must simply have been mistaken.  We
> tape-recorded their employee making the statement (with permission),
> so they couldn't simply deny that he'd said it.
> 
> Karl, see what happens when you ask for NSA to restate their opinion,
> in writing.
> 
> Jerry Rainville of NSA did a tremendous job in this regard a few years
> back.  He convinced the standards committee for digital cellphones
> that if they even discussed encryption in open meetings, they would
> violate the ITAR.  It was all complete bullshit, of course, but the
> committee believed it.  The result is that digital cellphones ended up
> with no privacy.  Just what NSA wanted -- with almost no effort on
> their part!
> 
> In short, if you rely on NSA for legal advice, you have a malicious
> and untrustworthy lawyer.  Get your own export lawyer!  Since you're
> in Ohio, I suggest talking to Peter Junger's lawyers.  Peter is a law
> prof at Case Western who is also challenging the ITAR in court. Try:
> Gino Scarselli, <address@hidden>, +1 216 291 8601; or
> Raymond Vasvari, <address@hidden>, +1 216 522 1925.
> 
>       John
> 
> PS: Whether you can "export source with any kind of hook for
> encryption" is at the heart of our court case (see
> http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/).  Our judge has
> already ruled that publication of source code is protected by the
> First Amendment.  The NSA "hook" doctrine (that they can control the
> distribution of source code that doesn't even include crypto, just
> hooks where it might be inserted or called) doesn't stand a chance.
> They are unlikely to prosecute any such case because of the serious
> risk that the law would be invalidated as a result.  Fear, uncertainty
> and doubt serves their purposes much better than a narrow and
> enforceable law would.  Fortunately for us, vague and overbroad laws
> are unconstitutional.
> 
> PPS: Whether you can hire someone outside the country to add
> encryption to an existing product is legal in many circumstances (in my
> own opinion, though lawyers have provided signed opinions of counsel
> concurring with it).  I believe that if the work is done by an outside
> contractor which is less than 50% owned by your company, it's
> definitely legal.  There are probably other circumstances in which
> it's legal as well.  Get a good lawyer to help you figure it out.
> 
> 
> 
> 

;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;